[ https://issues.apache.org/jira/browse/FLINK-8417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055658#comment-17055658 ]
Hwanju Kim edited comment on FLINK-8417 at 3/10/20, 7:24 AM:
-------------------------------------------------------------

I have a basic question on this. I wonder how this is different from {{AWSConfigConstants.CredentialsProvider.ASSUME_ROLE}} (by FLINK-9686 - although it says it's for producer, it should be available for consumer as it's with properties). AFAIK, with ASSUME_ROLE, if the correct role ARN with a proper policy/trust relationship is set, cross-account stream access could be feasible. I may miss some context here about what's currently not supported (consumer support, or creds expiration issue, or something else?). From the thread right above, it seems to point to ASSUME_ROLE, but it says it's not working in TM but in JM, which is a little confusing to me.

> Support STSAssumeRoleSessionCredentialsProvider in FlinkKinesisConsumer
> -----------------------------------------------------------------------
>
>                 Key: FLINK-8417
>                 URL: https://issues.apache.org/jira/browse/FLINK-8417
>             Project: Flink
>          Issue Type: New Feature
>          Components: Connectors / Kinesis
>            Reporter: Tzu-Li (Gordon) Tai
>            Priority: Major
>              Labels: usability
>
> As discussed in ML:
> http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/Kinesis-Connectors-With-Temporary-Credentials-td17734.html.
> Users need the functionality to access cross-account AWS Kinesis streams,
> using AWS Temporary Credentials [1].
> We should add support for
> {{AWSConfigConstants.CredentialsProvider.STSAssumeRole}}, which internally
> would use the {{STSAssumeRoleSessionCredentialsProvider}} [2] in
> {{AWSUtil#getCredentialsProvider(Properties)}}.
> [1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
> [2] https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/STSAssumeRoleSessionCredentialsProvider.html